Control 20 Mapping to the NIST Cybersecurity Framework

00:00

Hey, everyone, welcome back to the course. So in the last video, we took a look at an overview of CS Control 20. So again, that was around Penetration test and red team exercises And this video we're to see how that maps up to the NUS cybersecurity framework.

00:15

So some control 20.1. We just want to establish a pen testing program. Now, if you're smaller company out there, you may not want to have your own program, but you do want to be able to contract with other organizations that can come in and do the pen test for you.

00:28

Worst case scenario, you just want to at least run a vulnerability scan to see what kinds of issues you may have.

00:35

So C s sub control 20.2 again. Just making sure that you conduct regular external and internal pen tests.

00:44

Sub control 20.3, performing pure Arctic red team exercises. So if you're not familiar with what that is, basically the red teaming is you're taking the pen test of the next level. Rights were actively testing the blue team or the defensive side of things, so we're actively trying to get past their defenses while they're actively trying to defend us, right? As opposed to a pen test where

01:02

we're just finding those vulnerabilities and showing we can exploit them.

01:04

We actually have a human element that opposing us during a red team exercise

01:11

some control 24 include test for the presence of unprotected system information and artifacts. So what are we finding on our systems? We need to include test for that.

01:21

And you notice that many of these don't actually match up 1 to 1 to the new cybersecurity framework, but they're still very important for your organization.

01:30

We also want to basically create a test bed. So have that test network that weaken test things that aren't typically tested in the production environment. So, as an example, looking at the critical infrastructure space, I want to have a separate network that I can use to run Ah, pen test on to show what scenarios could occur

01:49

without shutting down like a controller. Right PLC.

01:53

So I want I don't I don't want to damage things that are that are vital. But I want to be able to show that Hey, the reason we needed patch these things is because of this, right? So that's what we're talking about there having that separate network that we contest on

02:07

some control. 26 use formed vulnerability skinning and pen testing

02:10

together. Right? What's the point in doing a pen test? If you don't know what vulnerabilities there, what's the point? Running a vulnerability scanner If you don't know if these air actually accept exploitable or not for your particular system, so you want to use them in tandem together or in concert together, you want to use them together to maximize your ability to protect your organization.

02:31

So controlled. 27.

02:34

Ensure that you're actually documenting the pen test results, as well as make sure that they're open and machine readable standards so you can keep in aggregated data base of the the information. So if you're not doing the pen, test yourself,

02:46

then the third party that you're hiring usually will do this part for you, though usually collecting information and then generate a readable report for you to present to the board or upper management and other individuals in the organization with a need to know.

03:01

Sub control. 28 Control Monitor the accounts that are associate with pen testing. So let's make sure that

03:07

once we've authorized credentials that are being used for the pen test pen testers, we want to be able to go ahead and revoke those as well, right? We don't want someone coming behind them and having that same level of access.

03:21

So this video, we just talk through a brief overview of how control 20 might map to the next cybersecurity framework. You notice that it really doesn't map in most cases.